Secure Software Development

CS/CYS 455 - Spring 2022

Catalog description:

This course introduces a variety of topics on implementing secure software using different programming languages. The primary focus is given to design and development techniques used to avoid the most common software errors by using defensive coding techniques, managing resources securely, and creating secure interaction between components.
Credits: 3

Who/where/when

Instructor Dr. Stan Kurkovsky, Professor of Computer Science
Office MS 303-06
Phone 860-832-2720
E-mail kurkovsky@ccsu.edu
Office hours MW 1500-1600 and TR 1000-1130, booking info
Class meetings TR 1215-1330 @ AIH 105

Textbook and other things you will need

24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them
  • 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them by Howard, LeBlanc, and Viega. McGraw-Hill Education, 2009, ISBN 0071626751
  • A Google account to access the Google Cloud Shell
  • Access to a laptop computer that can be brought to class on a regular basis
  • Instructor's web site available at http://www.cs.ccsu.edu/~stan/
  • Course project document
  • In-class code examples on GitHub

Course learning outcomes

Program educational objectives and student outcomes are supported by the following course learning outcomes achieved by students upon a successful completion of this course:

  1. Understand the basics of secure programming;
  2. Understand the most frequent programming errors leading to software vulnerabilities;
  3. Identify and analyze security problems in software;
  4. Understand and protect against security threats and software vulnerabilities;
  5. Effectively apply their knowledge to the construction of secure software systems.

Important: self-care

Please take care of yourselves and your loved ones. Your physical and mental well-being is the most important thing. It has always been (or should have been) so, even before the current pandemic. Please email/message me to check in if I won’t see you or hear from you on a day we have class or an assignment is due.

Tentative schedule

Week 1: January 19-21

  • Introduction: The Big Picture
    Topic (C/C++): The Role of C/C++ in Computer Security

Week 2: January 24-28

  • Topic (C/C++): Programming Review
  • Topic (C/C++): Programming Review, cont.

Week 3: January 31 - February 4

  • Topic (C/C++): Buffer Overruns
  • Topic (C/C++): Format String Problems

Week 4: February 7-11

  • Topic (C/C++): Integer Overflows
  • Topic (C/C++): Integer Overflows, cont.
    Homework assignment 1 is due

Week 5: February 14-18

  • Topic (C/C++): C++ Catastrophes
  • Topic (C/C++): C++ Catastrophes, cont.

Week 6: February 21-25

  • Topic (C/C++): Catching Exceptions
  • Topic (C/C++): Command Injection

Week 7: February 28 - March 4

  • Topic (C/C++): Failure to Handle Errors Correctly
  • Topic (C/C++): Information Leakage
    Course project: Proposal is due

Week 8: March 7-11

  • Topic (C/C++): Race Conditions
  • Topic (C/C++): Poor Usability
    Homework assignment 2 is due

Week 9: March 14-18

  • Spring break

Week 10: March 21-25

  • Topic (C/C++): Not Updating Easily
  • Midterm exam

Week 11: March 28 - April 1

  • Topic (C/C++): Executing Code with Too Much Privilege
  • Topic (C/C++): Failure to Protect Stored Data

Week 12: April 4-8

  • Topic (Crypto): Use of Weak Password-Based Systems
  • Topic (Crypto): Weak Random Numbers

Week 13: April 11-15

  • Topic (Crypto): Using Cryptography Incorrectly
  • Topic (Web): SQL Injection
    Homework assignment 3 is due

Week 14: April 18-22

  • Student presentation (Web): Server–Related Vulnerabilities (XSS, XSRF, and Response Splitting)
  • Student presentation (Web): Client–Related Vulnerabilities (XSS)
    Course project: Implementation is due

Week 15: April 25-29

  • Student presentation (Web): Use of Magic URLs, Predictable Cookies, and Hidden Form Fields
  • Student presentation (Net): Failing to Protect Network Traffic

Week 16: May 2-6

  • Student presentation (Net): Improper Use of PKI, Especially SSL
  • Student presentation (Net): Trusting Network Name Resolution
    Course project: Analysis is due

Week of final exams

  • Final exam: Tuesday, May 10, 1030-1230

Safety and contingencies

CCSU developed a blueprint outlining a number of important requirements and guidelines concerning the campus safely with regard to the pandemic. Specifically, masks must be worn at all times while we are in class--no exceptions.

In case the instructor becomes ill and can no longer attend classes, steps will be taken by the department to ensure consistent delivery of course content and enable students to complete the course during the scheduled timeframe. Adjustments may include moving the course to synchronous online, to asynchronous online, or keeping the course in its current format and assigning a new instructor to take over the class until the regular instructor can return. Each course is evaluated on a case-by-case basis as there are many factors to consider before making a transition from one-course format to another. If a course is unable to meet on-ground due to university requirements, then the department will follow university policies in place.

Midterm and final exams

Each test will focus on the most recent material. However, each test will very likely include some questions aimed at the material covered by the earlier test(s). Make-up tests may only be given if a student can provide a written proof of a serious reason for missing a test (such as illness or accident).

Course project

A project is the focal point of this course. Working in small teams, students will implement a secure and robust application that successfully addresses a number of vulnerabilities discussed in this course. All course project deliverables must be submitted using Blackboard in three separate increments.

Homework assignments

Homework assignments are to be completed individually and submitted via Blackboard. Students will have at least one week to complete each homework assignment.

Academic misconduct

All students are expected to demonstrate integrity in the completion of their coursework. Academic integrity means doing one's own work and giving proper credit to the work and ideas of others. It is the responsibility of each student to become familiar with what constitutes academic dishonesty and plagiarism and to avoid all forms of cheating and plagiarism. Students who engage in plagiarism and other forms of academic misconduct will face academic and possibly disciplinary consequences. Academic sanctions can range from a reduced grade for the assignment to a failing grade for the course. From a disciplinary standpoint, an Academic Misconduct Report may be filed and a Faculty Hearing Board may impose sanctions such as probation, suspension or expulsion.

For further information on academic misconduct and its consequences, please consult the Student Code of Conduct and the Academic Misconduct Policy.

Attendance

All students are expected to attend class sessions regularly. However, recognizing individual differences, each student is responsible for his/her own attendance and for making-up any missed study or work. Limited assistance will be offered to those with plausible reasons for absences; unexcused absences will result in the student being totally responsible for the make-up process.

Students with disabilities

Central Connecticut State University provides reasonable accommodations in accordance with the Americans with Disabilities Act and Section 504 of the Rehabilitation Act for students with documented disabilities on an individualized basis. If you are a student with a documented disability, and would like to request academic accommodations, you are encouraged to contact Student Disability Services (SDS) at 860-832-1952, or email disabilityservices@ccsu.edu. Please visit the SDS website to download an Intake form and documentation requirements. Once approved, SDS suggests that students discuss their approved accommodations with their professors, as well as any other additional medical emergency needs. Temporary impairments may also qualify for accommodations. Please note that accommodations are not retroactive and must be requested each semester.

Other statements

Here's a link to a document containing information about other policies and resources.

Grades and evaluation

Students will be evaluated regularly during the semester and should be aware of their progress continuously during the semester. The final course grade will be reported according to the stated University policy.

The final course grade will be calculated according to the following distribution of points:

Course project 35
Homework assignments (3 x 5 pts each) 15
Topic presentations 10
Midterm exam 20
Final exam 20
Total 100

Course letter grade will be determined as follows:

A A- B+ B B- C+ C C- D+ D D- F
94-100 90-93.99 87-89.99 84-86.99 80-83.99 77-79.99 74-76.99 70-73.99 67-69.99 64-66.99 60-63.99 0-59.99